A Red-Queen Race for IT Security Innovation

Image: bijoubaby/Flickr

In Lewis Carroll’s “Through the Looking-Glass,” Alice asks the Red Queen how it’s possible to constantly run but never move forward. The queen explains, “…here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that.” That sounds like fictional nonsense; unfortunately, the Red Queen effect is an all-too real phenomenon in IT security, where the threat market is gaining ground, no matter how fast enterprise leaders run.

After 20 successful years of building and selling security products to the enterprise, I know that nobody wants to buy security products. Don’t get me wrong; enterprises do buy them, but not because they want to. After all, security products don’t enable any business function or implement any organizational workflow. Instead, they are insurance policies against bad things that can happen, and enterprises want that insurance, especially as the variety and severity of threats rise.

As one of the founders of Check Point (CHKP), I helped create the network security market and then I created the data center security market 10 years later with Imperva (IMPV). Over these two decades, I also invested in numerous security companies, and yes, business is good. That’s because the enterprise has to protect itself from a threat landscape consistently increasing in scope and sophistication. As threats increase, though, IT security must run faster and faster merely to stay in the same place – unless enterprises augment their approaches.

The threat market holds the lead When we started Check Point and up until a decade ago, hackers’ motivations ranged from curiosity to ego and revenge. In the last decade, hacking has become a more serious industry. Sophisticated, organized groups in pursuit of monetary gains have created a sizable cyber crime industry. State-sponsored industrial espionage, political terrorism groups and above all, cyber warfare, continue to exert pressure on enterprises, which need more and more insurance to protect valuable, critical business data and processes.

There are two markets at play here: the threat market and the security market. These two are competing against each other, and the threat market is gaining momentum against security forces. This should greatly alarm not only the enterprise, but also anyone who is concerned with our national infrastructure. This trend can be reversed if enterprises have a full understanding of its causes and commit to proactive remedies.

The threat market operates by simple economical drivers. Hackers continuously improve the sophistication of their attacks to circumvent existing security solutions, such as anti-virus and network firewalls. They want access to the valuable data and critical business processes, both of which are primarily located in the datacenter in the form of databases, Web applications and other assets. The threat market is an agile force that adapts quickly to change, and that’s why it wins when it runs the Red-Queen race against IT security.

The enterprise, on the other hand, is constantly shifting its defensive stance just to maintain a consistent pace. For these companies, security solutions are emotional purchases prone to the confusing positioning put forth by incumbent players. In many cases, vendors’ solutions have been circumvented by new, more sophisticated threats, but vendors continue to push the same insurance policies anyway, even though the threats are ever changing.

A winning strategy for IT security We have reached the point today where more than 90 percent of data being taken from organizations comes from the data center, but less than 5 percent of security budgets are dedicated to protecting that asset. This is a scary dislocation and one we cannot afford, not only because of the potential financial losses to enterprises, but increasingly because of the cyber warfare and political terrorism risks to the nation’s infrastructure.

Like with many other free markets that fail to manage themselves, the security market has a problem that can be solved in part by regulation. Indeed, in the last decade there has been increased regulation and legislation across the globe and throughout all industry verticals. These regulations are forcing organizations to take responsibility for security in an adequate way. The other remedy the market needs is greater awareness. That fix is coming, thanks to various disclosure laws, the sheer volume of security breaches and the attention of the public. Running faster won’t help enterprises overtake threatening forces, but informed regulation and awareness can dramatically change the dynamics of the IT security race.

Shlomo Kramer is an angel investor and entrepreneur in the IT security market and is founder and CEO of Silicon Valley-based Imperva, which provides businesses with database and application security solutions.